From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sat, 30 Jul 2011 08:35:43 +0000 (+0000)
Subject: Additional escaping.
X-Git-Tag: 1.3.0~1616
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=c3be706ce572f7a7e1c5f47b62215a1aeb66ee2c;p=redmine.git

Additional escaping.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6327 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/helpers/custom_fields_helper.rb b/app/helpers/custom_fields_helper.rb
index 3028cd4ed..bcc4cfa11 100644
--- a/app/helpers/custom_fields_helper.rb
+++ b/app/helpers/custom_fields_helper.rb
@@ -57,7 +57,7 @@ module CustomFieldsHelper
   
   # Return custom field label tag
   def custom_field_label_tag(name, custom_value)
-    content_tag "label", custom_value.custom_field.name +
+    content_tag "label", h(custom_value.custom_field.name) +
 	(custom_value.custom_field.is_required? ? " <span class=\"required\">*</span>" : ""),
 	:for => "#{name}_custom_field_values_#{custom_value.custom_field.id}",
 	:class => (custom_value.errors.empty? ? nil : "error" )
diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb
index 31a363d28..e65e957b6 100644
--- a/app/helpers/queries_helper.rb
+++ b/app/helpers/queries_helper.rb
@@ -24,7 +24,7 @@ module QueriesHelper
   def column_header(column)
     column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption,
                                                         :default_order => column.default_order) : 
-                      content_tag('th', column.caption)
+                      content_tag('th', h(column.caption))
   end
   
   def column_content(column, issue)
diff --git a/app/helpers/sort_helper.rb b/app/helpers/sort_helper.rb
index a1808a056..e7b2ba7c0 100644
--- a/app/helpers/sort_helper.rb
+++ b/app/helpers/sort_helper.rb
@@ -205,7 +205,7 @@ module SortHelper
      # Add project_id to url_options
     url_options = url_options.merge(:project_id => params[:project_id]) if params.has_key?(:project_id)
 
-    link_to_content_update(caption, url_options, :class => css)
+    link_to_content_update(h(caption), url_options, :class => css)
   end
 
   # Returns a table header <th> tag with a sort link for the named column
diff --git a/app/views/context_menus/issues.html.erb b/app/views/context_menus/issues.html.erb
index 7b67c65c7..34861c917 100644
--- a/app/views/context_menus/issues.html.erb
+++ b/app/views/context_menus/issues.html.erb
@@ -14,7 +14,7 @@
 		<a href="#" class="submenu" onclick="return false;"><%= l(:field_status) %></a>
 		<ul>
 		<% @statuses.each do |s| -%>
-		    <li><%= context_menu_link s.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {:status_id => s}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(s.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {:status_id => s}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && s == @issue.status), :disabled => !(@can[:update] && @allowed_statuses.include?(s)) %></li>
 		<% end -%>
 		</ul>
@@ -26,7 +26,7 @@
 		<a href="#" class="submenu"><%= l(:field_tracker) %></a>
 		<ul>
 		<% @trackers.each do |t| -%>
-		    <li><%= context_menu_link t.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'tracker_id' => t}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(t.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'tracker_id' => t}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && t == @issue.tracker), :disabled => !@can[:edit] %></li>
 		<% end -%>
 		</ul>
@@ -37,7 +37,7 @@
 		<a href="#" class="submenu"><%= l(:field_priority) %></a>
 		<ul>
 		<% @priorities.each do |p| -%>
-		    <li><%= context_menu_link p.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'priority_id' => p}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(p.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'priority_id' => p}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && p == @issue.priority), :disabled => (!@can[:edit] || @issues.detect {|i| !i.leaf?}) %></li>
 		<% end -%>
 		</ul>
@@ -62,7 +62,7 @@
 		<a href="#" class="submenu"><%= l(:field_assigned_to) %></a>
 		<ul>
 		<% @assignables.each do |u| -%>
-		    <li><%= context_menu_link u.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'assigned_to_id' => u}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(u.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'assigned_to_id' => u}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && u == @issue.assigned_to), :disabled => !@can[:update] %></li>
 		<% end -%>
 		    <li><%= context_menu_link l(:label_nobody), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'assigned_to_id' => 'none'}, :back_url => @back}, :method => :post,
@@ -75,7 +75,7 @@
 		<a href="#" class="submenu"><%= l(:field_category) %></a>
 		<ul>
 		<% @project.issue_categories.each do |u| -%>
-		    <li><%= context_menu_link u.name, {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'category_id' => u}, :back_url => @back}, :method => :post,
+		    <li><%= context_menu_link h(u.name), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'category_id' => u}, :back_url => @back}, :method => :post,
 		                              :selected => (@issue && u == @issue.category), :disabled => !@can[:update] %></li>
 		<% end -%>
 		    <li><%= context_menu_link l(:label_none), {:controller => 'issues', :action => 'bulk_edit', :ids => @issues.collect(&:id), :issue => {'category_id' => 'none'}, :back_url => @back}, :method => :post,
diff --git a/app/views/custom_fields/_form.rhtml b/app/views/custom_fields/_form.rhtml
index 2900af900..7bbce5d57 100644
--- a/app/views/custom_fields/_form.rhtml
+++ b/app/views/custom_fields/_form.rhtml
@@ -82,7 +82,7 @@ when "IssueCustomField" %>
     
     <fieldset><legend><%=l(:label_tracker_plural)%></legend>
     <% for tracker in @trackers %>
-        <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= tracker.name %>
+        <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%=h tracker.name %>
     <% end %>
 		<%= hidden_field_tag "custom_field[tracker_ids][]", '' %>
     </fieldset>
diff --git a/app/views/custom_fields/_index.rhtml b/app/views/custom_fields/_index.rhtml
index 21ae01bef..a6495fbfe 100644
--- a/app/views/custom_fields/_index.rhtml
+++ b/app/views/custom_fields/_index.rhtml
@@ -13,7 +13,7 @@
   <tbody>
 	<% (@custom_fields_by_type[tab[:name]] || []).sort.each do |custom_field| -%>
 		<tr class="<%= cycle("odd", "even") %>">
-			<td><%= link_to custom_field.name, :action => 'edit', :id => custom_field %></td>
+			<td><%= link_to h(custom_field.name), :action => 'edit', :id => custom_field %></td>
 			<td align="center"><%= l(Redmine::CustomFieldFormat.label_for(custom_field.field_format)) %></td>
 			<td align="center"><%= checked_image custom_field.is_required? %></td>
 			<% if tab[:name] == 'IssueCustomField' %>
diff --git a/app/views/issue_statuses/index.html.erb b/app/views/issue_statuses/index.html.erb
index 03f767252..9b6a552f7 100644
--- a/app/views/issue_statuses/index.html.erb
+++ b/app/views/issue_statuses/index.html.erb
@@ -19,7 +19,7 @@
   <tbody>  
 <% for status in @issue_statuses %>
   <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to status.name, :action => 'edit', :id => status %></td>
+  <td><%= link_to h(status.name), :action => 'edit', :id => status %></td>
   <% if Issue.use_status_for_done_ratio? %>
   <td align="center"><%= h status.default_done_ratio %></td>
   <% end %>
diff --git a/app/views/issues/_relations.rhtml b/app/views/issues/_relations.rhtml
index 12a39ddc4..022ed590b 100644
--- a/app/views/issues/_relations.rhtml
+++ b/app/views/issues/_relations.rhtml
@@ -16,7 +16,7 @@
     <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %>
     <%= link_to_issue(relation.other_issue(@issue), :truncate => 60) %>
 </td>
-<td class="status"><%= relation.other_issue(@issue).status.name %></td>
+<td class="status"><%=h relation.other_issue(@issue).status.name %></td>
 <td class="start_date"><%= format_date(relation.other_issue(@issue).start_date) %></td>
 <td class="due_date"><%= format_date(relation.other_issue(@issue).due_date) %></td>
 <td class="buttons"><%= link_to_remote(image_tag('link_break.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :id => relation},                                              
diff --git a/app/views/projects/_form.rhtml b/app/views/projects/_form.rhtml
index 9772a899c..45d0ff1c4 100644
--- a/app/views/projects/_form.rhtml
+++ b/app/views/projects/_form.rhtml
@@ -42,7 +42,7 @@
 <% @trackers.each do |tracker| %>
     <label class="floating">
     <%= check_box_tag 'project[tracker_ids][]', tracker.id, @project.trackers.include?(tracker) %>
-    <%= tracker %>
+    <%=h tracker %>
     </label>
 <% end %>
 <%= hidden_field_tag 'project[tracker_ids][]', '' %>
@@ -54,7 +54,7 @@
 <% @issue_custom_fields.each do |custom_field| %>
     <label class="floating">
 	<%= check_box_tag 'project[issue_custom_field_ids][]', custom_field.id, (@project.all_issue_custom_fields.include? custom_field), (custom_field.is_for_all? ? {:disabled => "disabled"} : {}) %>
-	<%= custom_field.name %>
+	<%=h custom_field.name %>
 	</label>
 <% end %>
 <%= hidden_field_tag 'project[issue_custom_field_ids][]', '' %>
diff --git a/app/views/reports/_details.rhtml b/app/views/reports/_details.rhtml
index c9cd88bb8..7b565a325 100644
--- a/app/views/reports/_details.rhtml
+++ b/app/views/reports/_details.rhtml
@@ -6,7 +6,7 @@
 <thead><tr>
 <th style="width:25%"></th>
 <% for status in @statuses %>
-<th style="width:<%= col_width %>%"><%= status.name %></th>
+<th style="width:<%= col_width %>%"><%=h status.name %></th>
 <% end %>
 <th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_open_issues_plural)%></strong></th>
 <th align="center" style="width:<%= col_width %>%"><strong><%=l(:label_closed_issues_plural)%></strong></th>
@@ -15,7 +15,7 @@
 <tbody>
 <% for row in rows %>
 <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
+  <td><%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
                                                 :set_filter => 1, 
                                                 :subproject_id => '!*',
                                                 "#{field_name}" => row.id %></td>
diff --git a/app/views/reports/_simple.rhtml b/app/views/reports/_simple.rhtml
index e82f376a1..8d47bba76 100644
--- a/app/views/reports/_simple.rhtml
+++ b/app/views/reports/_simple.rhtml
@@ -11,7 +11,7 @@
 <tbody>
 <% for row in rows %>
 <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
+  <td><%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), 
                                                 :set_filter => 1, 
                                                 :subproject_id => '!*',
                                                 "#{field_name}" => row.id %></td>
diff --git a/app/views/roles/index.html.erb b/app/views/roles/index.html.erb
index 41878146b..73c7e0841 100644
--- a/app/views/roles/index.html.erb
+++ b/app/views/roles/index.html.erb
@@ -13,7 +13,7 @@
   <tbody>
 <% for role in @roles %>
   <tr class="<%= cycle("odd", "even") %>">
-  <td><%= content_tag(role.builtin? ? 'em' : 'span', link_to(role.name, :action => 'edit', :id => role)) %></td>
+  <td><%= content_tag(role.builtin? ? 'em' : 'span', link_to(h(role.name), :action => 'edit', :id => role)) %></td>
   <td align="center" style="width:15%;">
   <% unless role.builtin? %>
     <%= reorder_links('role', {:action => 'edit', :id => role}) %>
diff --git a/app/views/trackers/index.html.erb b/app/views/trackers/index.html.erb
index ab6eba575..c4981ccd3 100644
--- a/app/views/trackers/index.html.erb
+++ b/app/views/trackers/index.html.erb
@@ -14,7 +14,7 @@
   <tbody>
 <% for tracker in @trackers %>
   <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to tracker.name, :action => 'edit', :id => tracker %></td>
+  <td><%= link_to h(tracker.name), :action => 'edit', :id => tracker %></td>
   <td align="center"><% unless tracker.workflows.count > 0 %><span class="icon icon-warning"><%= l(:text_tracker_no_workflow) %> (<%= link_to l(:button_edit), {:controller => 'workflows', :action => 'edit', :tracker_id => tracker} %>)</span><% end %></td>
   <td align="center" style="width:15%;"><%= reorder_links('tracker', {:action => 'edit', :id => tracker}) %></td>
   <td class="buttons">